
Summary
This rule identifies common reconnaissance commands executed in rapid succession, a pattern that may indicate automated activity by malicious actors following an initial system compromise. Initial access broker malware typically runs a series of discovery commands (such as 'whoami', 'systeminfo', 'ipconfig', etc.) to gather information useful for lateral movement or privilege escalation. Because these commands can also be part of legitimate user activity, the rule focuses specifically on instances where they occur in quick succession, defined as within a 2-minute window. Using endpoint process data collected from EDR logs, the rule filters out specific benign processes so that the remaining detections are more likely to reflect malicious reconnaissance. Correlating multiple command executions in this way surfaces potentially suspicious behavior early and supports incident response efforts.
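As an added illustration of the logic described above (not the rule's own query), the following Python sketch applies a per-host, per-user sliding 2-minute window over process-creation events, skips an allow-listed parent image, and alerts when enough distinct discovery commands land inside the window. The discovery list beyond the summary's examples, the allow-listed agent path, the threshold of four distinct commands, and the sample events are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Discovery binaries the rule watches (the summary's examples plus common peers; constructed list)
DISCOVERY = {"whoami", "systeminfo", "ipconfig", "hostname", "tasklist", "net", "nltest", "qwinsta", "arp"}
# Hypothetical allow-listed parent images (e.g. an inventory agent); compared lowercase
BENIGN_PARENTS = {"c:\\program files\\exampleinventory\\agent.exe"}
WINDOW = timedelta(minutes=2)  # the rule's 2-minute window
MIN_DISTINCT = 4               # distinct discovery commands required to alert (assumed threshold)

def image_name(path):
    """Lowercase basename of an image path without the .exe suffix (Windows or POSIX separators)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def detect_recon_bursts(events):
    """Sliding-window detection over process events (dicts: ts, host, user, image, parent_image).
    Returns one (host, user, window_start, sorted distinct commands) tuple per burst."""
    recent = defaultdict(deque)  # (host, user) -> deque of (ts, cmd) still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["parent_image"].lower() in BENIGN_PARENTS:
            continue  # allow-listed parent, skip
        cmd = image_name(ev["image"])
        if cmd not in DISCOVERY:
            continue
        q = recent[(ev["host"], ev["user"])]
        q.append((ev["ts"], cmd))
        while ev["ts"] - q[0][0] > WINDOW:  # evict events older than the window
            q.popleft()
        distinct = {c for _, c in q}
        if len(distinct) >= MIN_DISTINCT:
            alerts.append((ev["host"], ev["user"], q[0][0], sorted(distinct)))
            q.clear()  # fire once per burst rather than once per extra command
    return alerts

# Constructed sample telemetry (not real data)
SYS32, EXPLORER = "C:\\Windows\\System32\\", "C:\\Windows\\explorer.exe"
AGENT = "C:\\Program Files\\ExampleInventory\\agent.exe"
def _burst(host, user, parent, stamps):
    return [{"ts": datetime.fromisoformat(t), "host": host, "user": user,
             "image": SYS32 + c + ".exe", "parent_image": parent} for t, c in stamps]
SAMPLE_EVENTS = (
    _burst("WS01", "alice", EXPLORER, [("2024-02-09T10:00:00", "whoami"), ("2024-02-09T10:00:05", "systeminfo"),
           ("2024-02-09T10:00:12", "ipconfig"), ("2024-02-09T10:00:25", "net")])        # 25 s burst -> alert
    + _burst("WS02", "bob", EXPLORER, [("2024-02-09T09:00:00", "whoami"), ("2024-02-09T09:20:00", "systeminfo"),
             ("2024-02-09T09:40:00", "ipconfig"), ("2024-02-09T10:00:00", "net")])      # spread over an hour -> no alert
    + _burst("WS03", "SYSTEM", AGENT, [("2024-02-09T11:00:00", "whoami"), ("2024-02-09T11:00:01", "systeminfo"),
             ("2024-02-09T11:00:02", "ipconfig"), ("2024-02-09T11:00:03", "hostname")])  # allow-listed parent -> filtered
)
```

Running `detect_recon_bursts(SAMPLE_EVENTS)` yields a single alert for WS01/alice; the spread-out WS02 activity and the agent-driven WS03 burst produce nothing.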
Categories
- Endpoint
- Windows
- Linux
Data Sources
- Process
- User Account
- Logon Session
- Application Log
ATT&CK Techniques
- T1033
- T1087
- T1057
- T1082
- T1007
- T1497.001
- T1049
Created: 2024-02-09